I am going through Web Api in Asp.Net using Visual Studio 2013.I am using Asp.Net Web Api Template.I am able to build a simple client that can register and login with the API.I got Bearer Token When user login and i send this token in header for accessing data from my API.Now i wanted to know how this Token in get/post request is working in API side.
When i made this API work with Windows Azure Storage I have not seen any table that saves these token corresponding to users.so where these token goes.
I can't speak for these particular tokens, however other token frameworks that I used (DotnetOpenAuth) just encrypt the username and access scope and create a ticket out of it.
It is similar to what the Forms Authentication module does. There is also no table to map issued cookies to users and this is because the cookie can just be decrypted at the server side.
Think about the token as a standalone encrypted information rather than an internal id to data that has to be persisted at the server side.
Related
I have a web api server on lets say, api.app.com which serves data for my app and i have a separate web server on www.app.com which serves users the pages for the app. I am using a JWT created on the webapi to Authorize the user. The token is created when the client logs in from the login page served on www.app.com with a username and a password. I want www.app.com (web server) to send a request to api.app.com (web api) to authenticate the user and then store the token gotten from the web api inside a cookie on the client.
Then i want only api authenticated clients to have access to pages on the web server, while the web server gets data from the web api on the behalf of the client per request.
I have checked everywhere online, without a clear solution to this
Web apis are usually consumers of JWT tokens. Once received they validate the token, and check claims and proceed based on the result. Your environment is a little confusing to me.
It seems your api app is used as an identity server as well as data provider. It is best to separate these concerns.
I have a Next.js website I'm working on and a dotnet core API connected to a SQL Server database. I have a login page and intend to create a page to add new users and was wondering how I could do this using dotnet core identity? I added the NextAuth.js package thinking I could utilize it, however it seems to work best if connecting directly to the database and not go through an API.
I managed to return the token to NextAuth.js but I don't know where to go from there. How can I use next-auth to manage the session? Or is there a better way to go about doing this without using NextAuth.js?
My reason for using dotnet core identity is because it already has support for roles and setup is fairly simple and makes authorizing different sections of the API easy. Based on a user's role, they should be authorized to access certain routes or view certain pages.
I tried looking at the following doc from microsoft Intro to auth for SPA, but it's not exactly clear to me how I can manage the session.
First, generally, when we using JWT authentication, the workflow as below:
Client sends a request (which contains the user information, such as: name and password) to server for token
Server receives the user information and checking for authorization. If validated success, server generates a JWT token.
Client receives the token and stores it somewhere locally.
Client sends the token in the future requests.
Server gets the token from request header, computes Hash again by using a) Header from token b) payload from token c) secret key which server already has.
If ("newly computed hash" = "hash came in token"), token is valid otherwise it is tempered or not valid
After configure your application uses Identity and JWT authentication. When a User login, you could send the user information to the server side and check if the current user is valid or not, then generate a JWT token, and on the client side you could store the token in the web storage. After that, when you want to access the resource by passing this token into the authentication HTTP header. More detail information, please refer to the following article: JWT Authentication In ASP.NET Core
I have a .net core web API server that I connect to from a mobile application. The server creates an invoice on Xero and sends the user an email etc...
I have been using oAuth 1 with no issues, but now need to switch to oAuth 2. As there is no front end-user on the API server, can this still be accomplished?
All the documentation I read, seems to need a manual login to grant authorization and get an access token?
I was using the XeroApi settings in my appsettings.json file with a pfx certificate and a private app.
I am using the C# SDK
Thanks in advance :-)
You'll need a user from the Xero organisation to go through the OAuth2.0 flow at least once to retrieve an access token. If you request the offline_access scope during this flow, you'll receive a refresh token as well; this will enable you to refresh the access token from your web server on an ongoing basis, without user intervention.
So yep, you'll need a manual login at least once, but as long as you request & retain the refresh token from that initial flow, once should be enough.
I am trying to wrap my ahead around using JWT to secure a WEB API written in C#, but am getting hung up on a few things. From my understanding the flow should be something like this:
Client provides username/password to the Web API from some client application (Angular, .NET, Mobile, etc)
The Web API validates that the username/password is correct and then generates a JWT (JSON Web Token) that contains the user's roles, information, expiration date, and other relevant information.
The JWT is sent back to the client application.
The client application hangs on to the JWT and sends it with future requests.
Assuming the above is correct (and please let me know if it is not), I am having trouble understanding the following things.
Once the Web API has validated the username/password and created the JWT, how does the JWT get passed back? Do I somehow add it to an HttpResponseMessage object? I can't seem to find a clear answer on this.
How should the client application pass the JWT back? Is this in the JSON data, appended to the URL, added to headers?
I see plenty of tutorials referencing OWIN and OAUTH. What are these and why do I need them? I am holding the user credentials and roles in the database used by the WEB API.
Once the Web API has validated the username/password and created the
JWT, how does the JWT get passed back? Do I somehow add it to an
HttpResponseMessage object?
Common practice is on success, the response from the service has the status code 200 OK in the response header, and token related data in the response body
200 OK
Content-Type: application/json;charset=UTF-8
{
"access_token": "NgCXRK...MzYjw",
"token_type": "Bearer",
"expires_at": 1372700873,
"refresh_token": "NgAagA...Um_SHo"
}
How should the client application pass the JWT back? Is this in the
JSON data, appended to the URL, added to headers?
Using the access token to make authenticated requests
Now that you have a token, you can make authenticated requests to the API. This is done by either setting the HTTP Authorization header or query string in the request depending on how the server is configured.
in a header
Authorization: Bearer NgCXRK...MzYjw
as a parameter
GET http://localhost:35979/v2/endpoint?access_token=NgCXRK...MzYjw
I see plenty of tutorials referencing OWIN and OAUTH. What are these
and why do I need them?
OWIN — Open Web Interface for .NET http://owin.org/
OWIN defines a standard interface between .NET web servers and web
applications. The goal of the OWIN interface is to decouple server and
application, encourage the development of simple modules for .NET web
development, and, by being an open standard, stimulate the open source
ecosystem of .NET web development tools.
OWIN OAuth 2.0 Authorization Server
The OAuth 2.0 framework enables a third-party app to obtain limited
access to an HTTP service. Instead of using the resource owner’s
credentials to access a protected resource, the client obtains an
access token (which is a string denoting a specific scope, lifetime,
and other access attributes). Access tokens are issued to third-party
clients by an authorization server with the approval of the resource
owner.
I have a website which contains lot of user informations. I want to share those with client website through proper authentication. As I am going to develop this api using asp.net mvc 4, I selected DotnetOauth for providing authentication.
If a website want to access my data from website, they have to register with my developer website, after the registration that website will generate Consumer key and Secret Key. After the registration, for each api request the client will pass these keys. Up to this is done.
Using this Consumer Key and Secret Key, client will send api request and if the valid token is not available in the request, it will redirect to login page. After the successful login, a token will generate and client can use this token for furthor request up to the expiry.
Anybody have idea about creating token based on Consumer Key and Secret Key with the help of DotnetOauth. Iam using Asp.net MVC
Thanks
In order to create an access token using DNOA, you should implement the interface IAuthorizationServerHost. The method CreateAccessToken is the responsible of creating the token.
I recommend you to download DotNetOpenAuth samples, and have a look to 'OAuthAuthorizationServer' project.
Hope this help.